ACCESS CONTROL ENHANCEMENTS FOR DELIVERY OF VIDEO AND OTHER SERVICES

FIELD OF THE INVENTION

The present invention relates to a method and apparatus for secure delivery of services over local access networks, and in particular shared medium access networks, and a system incorporating the same.

BACKGROUND OF THE INVENTION

This invention relates to shared medium access networks, such as satellite, LMDS, UMTS, cable modem or fibre in the loop access networks, and in particular to fibre to the home (FTTH). The following description relates to FTTH, but it will easily be seen how it applies to other scenarios with similar characteristics. FTTH networks can be made more economic by sharing fibre facilities and head end equipment across a number of customers. Passive Optical Networks (PONs) fall into this category. In such a network, a single head end node, normally physically located on the network provider's premises, connects to a number of customer located outstations via a passive optical splitter (POS) which provides a fanout to (typically) 16 outstations.

Traffic transmitted in the downstream direction (from the head end to the outstations) appears at all outstations and is selected by a given outstation based on an address included in a header associated with each data packet. In the upstream direction a multiple access protocol is used to ensure that only one outstation transmits information at a time.

Such networks can be used to transmit multiple services to a customer, including video services and data services. On the customer premises an Optical Network Unit (ONU) connects to the fibre network and provides one or more interfaces to which the customer can attach end user equipment. This equipment might include one or more Set Top Boxes (STBs) for interfacing video services to a television set, and one or more personal computers. Each of these devices could connect via, for example, an Ethernet interface.

The ONU will normally be supplied by the network operator, who can control the software included within the ONU itself. Devices attached to the Ethernet interfaces, however, are often outside the control of the network operator, and the end user may therefore be able to load software on them which is outside the control of the network operator.

Video services consist of television channels which can be selected for viewing by individual end users and can be classified into two categories: multicast and Video on Demand (VOD). Multicast video channels are viewed simultaneously by a number of users. Such channels may include, for example, standard broadcast channels, subscription channels (where the user pays a monthly fee for the right to view the channel whenever he wants) and pay per view channels (where the user pays to view a particular programme). VOD channels are programmes requested by a particular user and supplied only to that user. Each VOD channel requires a dedicated data path from a video server within the network. Multicast channels avoid dedicated paths from the server to each user by including multicasting features in the data path, typically using a router situated at the head end of the access network. When the first user requests a multicast channel, that channel is delivered to the head end router from the server and a connection is made through the router to the access network. If another user subsequently requests to view the same channel, a second connection is made within the router to cause the channel to be sent out on the interface to which the second user is connected. Since the second user is joining an existing channel, no additional data capacity is required on the link between the server and the router.

Protocols exist for signalling from an end user device to a router to join and leave a multicast group. When the data transmission is based on Internet Protocol (IP), a multicast signalling protocol known as Internet Group Management Protocol (IGMP) may be used. Conventionally, in IP networks, a multicast stream is given a destination IP address drawn from a group of addresses reserved for multicast IP packets. Similarly, when using Ethernet as the medium access control (MAC) layer, the destination MAC address is drawn from a group of addresses reserved for multicast Ethernet frames. Thus at both the IP layer and the MAC layer, the address used represents the content of the multicast data stream rather than identifying a specific destination.

An algorithm for mapping IP layer multicast addresses to MAC layer multicast addresses is given in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 1112. This is a many to one mapping where a single MAC address could represent many different streams: only the low-order 23 bits of the IP group address are carried in the MAC address, so 32 distinct IP multicast groups map to each MAC address. In systems using this mapping, the multicast channel cannot be identified uniquely at the MAC layer and the IP layer destination address must be checked to guarantee uniqueness.
In a variation of the multicast protocol, known as source specific multicast (SSM), both the source IP address and the destination IP address are required to identify uniquely a specific multicast stream. In a system using SSM the destination multicast MAC address is not guaranteed to be unique. Since current protocols do not reflect the source IP address in the source MAC address, SSM channels cannot be uniquely identified at the MAC layer and the source address at the IP layer must be checked.

A problem arises when the end user connection is a shared medium network (such as a PON): a multicast stream will be delivered to the ONUs situated on the premises of all end users on the PON whenever one of the users requests that stream and, by listening to traffic on that address, a second user would be able to view the service even though he may not have paid to receive it. This could lead to loss of revenues to the content provider, which is highly undesirable.



OBJECT OF THE INVENTION

The invention seeks to provide an improved method and apparatus for overcoming one or more problems associated with the prior art.

SUMMARY OF THE INVENTION

According to one aspect of the present invention there is provided a network access unit for restricting user access to signals transmitted on a local access network and comprising: a port for receiving a channel request from a user; a channel request vetting unit for vetting the request with respect to a predetermined list of permitted channels; and a transmitter for forwarding the channel request responsive to the vetting.

In one preferred embodiment the unit also comprises a receiver arranged to receive control signals from a network headend for updating the permitted list.

In a further preferred embodiment, a time is associated with at least one channel in the predetermined list of channels, and the channel vetting unit vets a request for the at least one channel with respect to the time.

In a further preferred embodiment, the local access network is a shared medium access network.

In a further preferred embodiment, the unit is arranged to receive signals over an optical medium.
According to a further aspect of the present invention there is provided a customer premises equipment comprising a network access unit according to claim 1.

According to a further aspect of the present invention there is provided an optical access network comprising a network access unit according to claim 1.

According to a further aspect of the present invention there is provided a content service provider server arranged for connection to a network and comprising: a transmitter for transmitting one or more content channels and channel control signals to a remote network access unit containing a permitted channel list; in which the control signals are intended to update the permitted channel list so as to control subscriber access to the transmitted content channels.

Preferably, the control signals contain time-related information for association in the permitted list with one or more channels.

The invention also provides for a telecommunications system which comprises one or more instances of apparatus embodying the present invention, together with other additional apparatus.

The invention is also directed to a method by which the described apparatus operates, including method steps for carrying out every function of the apparatus.

In particular, according to a further aspect of the present invention there is provided a method of restricting user access to signals transmitted on a local access network comprising the steps of: receiving a channel request from a user at a first port; vetting the request with respect to a predetermined list of permitted channels; and forwarding the request responsive to the vetting.

Preferably, the method also comprises the steps of: receiving a control signal from a network headend; and updating the permitted list responsive to the control signal.

Preferably, the method also comprises the steps of: associating a time with at least one channel in the predetermined list of channels; and vetting the request with respect to the time.

Preferably, the channel request is carried in an IGMP message.
According to a further aspect of the present invention there is provided a method of operating a service provider server comprising the steps of: transmitting one or more content channels and channel control signals to a remote network access unit containing a permitted channel list; in which the control signals are intended to update the permitted channel list so as to control subscriber access to the transmitted content channels.

Preferably, the method also comprises the steps of: receiving a user initiated request to change channel subscription details; and transmitting a permitted channel list update signal responsive thereto to a remote network access unit associated with the user.

According to a further aspect of the present invention there is provided a use of an IGMP vetting function in customer premises equipment to provide secure multicast over a network.

According to a further aspect of the present invention there is provided a use of an IGMP vetting function and a network receive address filter in customer premises equipment to provide secure multicast over a network.

The invention is also directed to a program for a computer, comprising components arranged to perform each of the method functions.

In particular, according to a further aspect of the present invention there is provided a program for a computer on a machine readable medium arranged to: receive a channel request from a user at a first port; vet the request with respect to a predetermined list of permitted channels; and forward the request responsive to the vetting.

In particular, according to a further aspect of the present invention there is provided a control signal intended for transmission to a network access unit having a permitted channel list, comprising at least one message comprising network access unit permitted channel list update information.

Preferably, the at least one message contains time-related information for association in the permitted channel list with one or more channels.

Preferably, the control signals comprise IGMP messages.

Advantageously, the aspects of the present invention provide improved security for multicast services (for example multicast video) with minimum increase in ONU complexity.
The preferred features may be combined as appropriate, as would be apparent to a skilled person, and may be combined with any of the aspects of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS 

In order to show how the invention may be carried into effect, embodiments of the invention are now described below by way of example only and with reference to the accompanying figures, in which:

Figure 1 shows a schematic diagram of a telecommunications network in accordance with the present invention;

Figure 2 shows a schematic diagram of an Optical Network Unit (ONU) in accordance with the present invention;

Figure 3 shows an example of a multicast broadcast channel package arrangement in accordance with the present invention; and

Figure 4 shows a further schematic diagram of a telecommunications network in accordance with the present invention.

DETAILED DESCRIPTION OF INVENTION

Referring to Figure 1, there is shown a system overview of one possible embodiment of an end-to-end network for delivery of multicast video services incorporating a Passive Optical Network (PON) based access network. Only those elements relevant to the present invention are shown.

The headend 10 comprises a Router 110 and one or more Optical Line Termination units (OLTs) 120-121. The Router comprises a Packet Forwarder 111 and a Signalling Processor 112. In the downstream direction, each OLT receives packets from the router, adds any protocol and control information needed to implement the PON protocol and converts the data stream to an optical signal for transmission onto the shared optical medium to one or more end users. In the upstream direction, the OLT 120 receives an optical signal which has been multiplexed onto the medium by one or more ONUs 30, and extracts the data stream to be sent to the Router for onward transmission. Optionally, the OLTs 120-121 may be physically integrated into the head end router 110.
A Video Server 40 acts as the source of multiple multicast video programmes, each of which is transmitted as a separate packet stream identified by an address in the packet header. Typically, the data link 60 to the server will be a packet switched path across an IP network. In a practical system, multiple additional servers would be used to deliver many services to the end user.

A Billing and Administration function, or unit, 50 holds information identifying which multicast streams each end user is entitled to receive.

In the example network shown, each OLT connects to an optical network incorporating a signal splitter 210 such that a single OLT is able to exchange information with multiple ONUs 30 situated on end user premises. In a preferred embodiment the signal splitter 210 is a passive optical splitter.

Each ONU may connect to one or more end user information devices such as television Set Top Boxes (STBs) 70-71 and Personal Computers (PCs) 80 for video and data applications respectively.

Figure 2 shows an example of ONU 30 in more detail. A Network Receive function 31 converts downstream optical signals from the network connection 211 into electrical signals and passes on to the Packet Filter 32 only those information packets intended for the attached user. Other packets directed to other PON users are blocked. The addresses of packets to be passed through are contained in the Address List 33. In this arrangement, the Address List may be modified dynamically according to the video channel requested by the end user.

The Packet Filter 32 extracts from the packet stream those packets which are directed to the Management Processor function 34 within the ONU. Other packets are passed on to the Ethernet Switch 35 to which multiple end user information devices 70-71, 80 are connected.

Information packets received by the ONU from end user devices 70-71, 80 pass via the Ethernet Switch 35 to the Control Packet Filter 36. Channel change requests from the end user are encapsulated into control packets by the Set Top Box 70-71 or PC 80 and sent to the ONU. Packets recognised as multicast video control packets are extracted and passed to the IGMP Vetting function 37. Other packets are forwarded to the Network Transmit function 38, which implements the PON upstream transmission protocol and sends packets 212 via the local PON to the head end 10 at the appropriate time.
Multicast control packets sent to the IGMP Vetting function 37 are checked against the Permitted Channels list 39. If the requesting user is eligible to receive the requested channel, the IGMP Vetting function forwards the request to the head end via the Network Transmit function 38.

Optionally, instead of blocking a request for a prohibited channel, the IGMP Vetting function 37 may modify the content of the request packet and forward to the network a modified request to connect the end user device to a video stream inviting the user to subscribe to the service he has requested but is not yet eligible to receive.

Forwarding the IGMP request to the headend 10 when the channel is not present in the permitted channel list would cause the head end router to add the stream to the composite data stream transmitted on the shared downstream medium. A malicious user could initiate many (multicast) channel joins, thus increasing the amount of capacity occupied on the downstream link and potentially denying service to others. Consequently, requests for channels not on the permitted channel list are preferably not forwarded.

It would be technically possible to reduce the susceptibility to denial of service attacks by intercepting IGMP messages in the head end router, but this would require non-standard features in the router and may not scale well when large numbers of customers are connected.

Unless additional capabilities are added in the ONU, as described above, theft of service can only be addressed in the router by including encryption of the multicast streams within the head end equipment, using additional hardware processing data streams at the line rate of the access network. Decryption in the ONU would increase complexity in a cost-sensitive area of the system.

It is desirable that the end user should be made aware when he requests channels he is not authorised to receive.

If the user makes repeated such attempts it may also be desirable to inform the management system, either as part of a policing function or as a marketing opportunity.

Optionally, if the Vetting function detects (multiple) attempts to connect to unauthorised channels, the ONU 30 may send a message to the Billing and Administration system 50.

Once it is determined that the user is eligible to receive a requested channel, the Management Processor 34 is notified and it adds to the Address List 33 the multicast address which will be used in information packets carrying data for the selected channel. Such packets are then allowed through the Network Receive function 31 and forwarded to the Ethernet Switch 35 and thence to the end user information devices 70-71, 80.

In the head end router 110, IGMP messages are forwarded to a Signalling Processor 112 which instructs the Packet Forwarder 111 to add the new connection to the selected multicast stream so as to cause the stream to be forwarded to the end user via the OLT. Because the vetting function in the ONU ensures that no requests for unauthorised channels are passed to the network, no additional vetting is needed in the router.

Optionally, instead of generating IGMP messages in response to user requests to change channels, the STB 70-71 or PC 80 may instead generate control messages in some other format which is interpreted by the ONU and translated to IGMP messages before forwarding to the OLT. The ONU then acts on the interpreted messages in a way similar to that described above for incoming IGMP messages.

The Permitted List 39 is populated from the head end 10 using management messages sent as part of the downstream traffic and delivered to the Management Processor 34 via the Packet Filter 32. The permitted list may take different forms depending on the implementation, including but not limited to: a list of specific channels which the customer is eligible to receive; a list of channels the customer is to be prevented from viewing; or a set of rules to be applied to a request to determine whether a given channel is to be permitted or not. (An example of a set of rules for this last alternative can be derived from the semantics of the Unix hosts.allow / hosts.deny files.)
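The vetting just described can be written out as a program. The following Python code is an added illustration and is not part of the patent: it parses a constructed IGMPv2 membership report or leave message (verifying the RFC 1071 checksum), evaluates the request against a permitted list held in any of the three forms listed above (an allow list, a deny list, or hosts.allow/hosts.deny-style rules over multicast group prefixes), keeps the per-port set of joined groups from which the Address List is derived, and raises a report for the Billing and Administration system after a threshold of refused requests on one port. The per-port lists, the group prefixes, the threshold and the message bytes are assumptions chosen for the example.

```python
import ipaddress
import struct
from collections import Counter

# IGMPv2 message types (RFC 2236)
IGMP_V2_REPORT = 0x16   # membership report: the STB's "join"
IGMP_V2_LEAVE = 0x17    # leave group


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic over 16-bit words (folded to 16 bits)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_igmp(msg_type: int, group: str) -> bytes:
    """Constructed 8-byte IGMPv2 message: type, max response time, checksum, group."""
    body = struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
    checksum = 0xFFFF ^ ones_complement_sum(body)
    return body[:2] + struct.pack("!H", checksum) + body[4:]


def parse_igmp(pkt: bytes):
    """Return (type, group) or raise ValueError on a short or corrupted message."""
    if len(pkt) < 8:
        raise ValueError("short IGMP message")
    if ones_complement_sum(pkt[:8]) != 0xFFFF:
        raise ValueError("bad IGMP checksum")
    msg_type, _, _, group = struct.unpack("!BBH4s", pkt[:8])
    return msg_type, str(ipaddress.IPv4Address(group))


class PermittedList:
    """The three list forms, expressed over group prefixes (assumed format).
    'allow': only listed groups pass; 'deny': everything except listed groups
    passes; 'rules': hosts.allow/hosts.deny order, i.e. allow rules are consulted
    first, then deny rules, and a group matching neither is permitted."""

    def __init__(self, mode: str, allow=(), deny=()):
        if mode not in ("allow", "deny", "rules"):
            raise ValueError(mode)
        self.mode = mode
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]

    def permits(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        allowed = any(g in n for n in self.allow)
        denied = any(g in n for n in self.deny)
        if self.mode == "allow":
            return allowed
        if self.mode == "deny":
            return not denied
        return True if allowed else not denied


class IgmpVetting:
    """Model of the IGMP Vetting function 37 with one permitted list per user port."""

    def __init__(self, lists_by_port: dict, alert_threshold: int = 3):
        self.lists_by_port = lists_by_port
        self.joined = {}            # port -> set of groups currently joined
        self.refused = Counter()    # blocked requests per port
        self.alerts = []            # (port, group) reports for Billing and Administration
        self.alert_threshold = alert_threshold

    def address_list(self) -> set:
        """Groups the Network Receive function should pass (Address List 33)."""
        return set().union(*self.joined.values())

    def handle(self, port: int, pkt: bytes) -> str:
        msg_type, group = parse_igmp(pkt)
        if msg_type == IGMP_V2_LEAVE:
            self.joined.get(port, set()).discard(group)
            return "forward"        # a leave needs no vetting
        if msg_type != IGMP_V2_REPORT:
            return "drop"           # queries etc. never originate from a user port
        plist = self.lists_by_port.get(port)
        if plist is not None and plist.permits(group):
            self.joined.setdefault(port, set()).add(group)
            return "forward"
        self.refused[port] += 1
        if self.refused[port] == self.alert_threshold:
            self.alerts.append((port, group))
        return "block"
```

In 'rules' mode a request matching no rule is permitted, exactly as hosts.allow/hosts.deny grant access when neither file matches, so an operator wanting a closed list must end the deny rules with a catch-all such as 224.0.0.0/4; for a subscription service the 'allow' form is the safer default.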

The system is preferably based on the Internet Protocol suite. In an ONU using bridging (MAC layer forwarding) the IGMP Vetting function 37 is preferably performed using MAC addresses; in an ONU using routing (IP layer forwarding) the IGMP Vetting function 37 is preferably performed using IP addresses. To minimise ONU complexity and improve throughput, blocking of prohibited incoming multicast channels via the Network Receive function may be performed using MAC address matching.

WO 01/45334 PCT/GB01/OS203

Where the mapping from IP layer multicast addresses to MAC layer multicast addresses uses IETF RFC 1112, and the IGMP Vetting function 37 is performed using MAC addresses, the IGMP Vetting function may also optionally check the destination multicast IP address. Where the mapping from IP layer multicast addresses to MAC layer multicast addresses uses IETF RFC 1112 and blocking of prohibited incoming multicast channels via the Network Receive function is performed using MAC address matching, the Network Receive function 31 may optionally also check the IP destination address, but preferably only if the MAC layer address matching function indicates that the user may be eligible to receive the designated stream.

Where source specific multicast (SSM) is used in conjunction with IP layer vetting, the vetting function should preferably check both source and destination addresses to determine eligibility to receive a particular stream. Where SSM is used in conjunction with MAC layer vetting, the vetting function should preferably also check the IP addresses. Where SSM is used, the Network Receive function should also preferably check the IP addresses, and preferably only if an address match is detected at the MAC layer.
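The following Python program, added here as an illustration and not part of the patent, shows why the two-stage check described above is needed, and also illustrates the many-to-one mapping discussed in the background. It implements the RFC 1112 mapping, lists the 32 IPv4 groups that collide on one MAC address, and compares a Network Receive function that matches on the destination MAC alone with one that confirms the IP destination (and, for an SSM channel, the IP source) only for frames that already passed the MAC match. The permitted list, the group and source addresses and the downstream frames are constructed for the example.

```python
import ipaddress

MAC_MCAST_PREFIX = 0x01005E000000  # 01-00-5E-00-00-00, RFC 1112 section 6.4


def ip_multicast_to_mac(group: str) -> str:
    """RFC 1112: the low-order 23 bits of the IPv4 group address go into the
    low-order 23 bits of 01-00-5E-00-00-00; the top 5 bits of the group ID are lost."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = MAC_MCAST_PREFIX | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list:
    """The 32 IPv4 groups (one per value of the 5 discarded bits) that map to
    the same MAC address as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]


def mac_only_filter(frames, permitted):
    """Network Receive matching on the destination MAC alone."""
    permitted_macs = {ip_multicast_to_mac(g) for _, g in permitted}
    return [f for f in frames if f["dst_mac"] in permitted_macs]


def two_stage_filter(frames, permitted):
    """MAC match first (cheap, applied to every frame), then the IP check only
    for frames that passed it. `permitted` holds (source, group) pairs: source
    None means any-source multicast, a source address means an SSM channel."""
    permitted_macs = {ip_multicast_to_mac(g) for _, g in permitted}
    passed = []
    for f in frames:
        if f["dst_mac"] not in permitted_macs:
            continue  # blocked at the MAC layer, no IP inspection needed
        if (None, f["dst_ip"]) in permitted or (f["src_ip"], f["dst_ip"]) in permitted:
            passed.append(f)
    return passed


def frame(src_ip: str, dst_ip: str) -> dict:
    """A downstream frame reduced to the fields the filters look at."""
    return {"dst_mac": ip_multicast_to_mac(dst_ip), "src_ip": src_ip, "dst_ip": dst_ip}


# Constructed permitted list (assumed addresses): one ordinary channel and one SSM channel.
PERMITTED = {(None, "225.0.1.2"), ("10.1.1.7", "232.0.1.2")}
# Constructed downstream frames; all four carry the same destination MAC.
FRAMES = [
    frame("10.1.1.5", "225.0.1.2"),    # subscribed channel
    frame("10.1.1.5", "224.128.1.2"),  # different group, same MAC (23-bit collision)
    frame("10.1.1.7", "232.0.1.2"),    # subscribed SSM channel from the right source
    frame("10.1.1.9", "232.0.1.2"),    # same group, unsubscribed source
]
```

With this input the MAC-only filter passes all four frames, while the two-stage filter passes only the two the user actually subscribes to; the IP check runs only on the frames that survived the MAC stage, which is the ordering the description recommends for throughput.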

At the video IP headend, a protocol stack such as MPEG-2/RTP/UDP/IP/PON multicast groups may be employed. Source addresses at the IP and MAC layers are defined and transmitted.

All available video channels may be, and ideally are, provided to the OLT. The OLT is arranged to set up and maintain receipt of all IP multicast channels. There may, for example, be 200 channels provided by a single provider. The OLT also filters out upstream IGMP requests.

Figure 3 shows how a set of channels may be mapped to multicast IP addresses. The channels may be provided, on subscription or otherwise, in groups of channels, for example as a basic package and one or more premium rate packages.

At the set top box (STB), conventionally the allowable TV channel list is loaded by a service provider each time the STB boots up. It should be noted that this feature is for the convenience of the viewer, but does not protect the service against unauthorised access from an alternative information device such as a PC. Set top boxes preferably use IGMP version 2, or a protocol having similar functionality.
A method for handling a first channel request from a user on, for example, set top box #1 comprises the steps of:

1. STB 70 requests a channel (for example channel 2) by issuing a join IP multicast request for a specific channel IP address (for example 225.0.1.2).

2. The ONU receives the IGMP join request.

3. The ONU checks that the requested channel is on its list of allowable channels, sends an IGMP request for the selected channel (225.0.1.2) up to the headend unit 10 and starts listening for multicast signals on that address (225.0.1.2).

4. The headend unit 10 receives the IGMP request to join the channel (2).

• If the requested channel is already being transmitted on that link, the headend unit continues and may optionally log the IP address of the requesting STB.

• If the requested channel is not already being transmitted on that link, the requested channel is streamed on to the requesting link by the headend and optionally the IP address of the requesting STB is logged.

5. The ONU 30 receives the video packets of channel 2 and forwards these streams onto the port of the requesting STB.

An example of a method for handling a channel change request from a user on, for example, set top box #1 comprises the steps of:

1. A user on STB 70 currently watching a first channel (for example channel 2) presses a channel change to watch a second channel (for example channel 3).

2. STB 70 transmits a leave message for channel 2 (leave IP multicast 225.0.1.2) and a join request for channel 3 (join IP multicast 225.0.1.3).

3. The ONU 30 receives the IGMP leave request and sends it up to the headend 10.

4. The ONU 30 checks that channel 3 is on its list of allowable channels for that STB, sends an IGMP request for 225.0.1.3 up to the headend 10 and starts listening for transmission on the requested address (225.0.1.3).

5. The headend 10 receives the IGMP request to leave channel 2.

• If STB 70 was the only user requesting that channel on that link, transmission of that channel on that link may be suspended, and optionally the IP address of the requesting STB may be unlogged.

• If STB 70 was not the only user requesting that channel on that link, transmission of that channel on that link may continue, and optionally the IP address of the requesting STB may be unlogged.

6. The headend 10 receives the IGMP request to join the newly requested channel (channel 3).

• If that channel was already being transmitted on that link, the headend 10 continues and optionally logs the IP address of the requesting STB 70.

• If that channel was not already being transmitted on that link, the newly requested channel (channel 3) is streamed on to the requesting link by the headend 10 and optionally the IP address of the requesting STB is logged.

7. The ONU 30 receives the video packets of the requested channel. The ONU ceases forwarding the channel 2 stream to the user and instead forwards the newly requested channel stream (channel 3) onto the port of the requesting STB.
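The two procedures above can be run through as a model of both sides of the exchange. The following Python program is an added example and not part of the patent: a HeadEnd class keeps one stream per (link, group) together with the optional log of requesting STB addresses, and an Onu class vets joins against a per-port permitted set, forwards only permitted joins, passes leaves upward unvetted, keeps the Address List and delivers each received stream only to the ports that joined it. Link names, port numbers, STB addresses and the permitted sets are assumptions; channel requests are represented as ("join" or "leave", group) rather than as IGMP packets.

```python
from collections import defaultdict


class HeadEnd:
    """Head end 10 (Router 110 behind the OLT). One stream per (link, group) is
    put on the shared downstream medium however many STBs have joined it; the
    set of requesting STB addresses is the optional log in the description."""

    def __init__(self):
        self.listeners = {}   # (link, group) -> set of logged STB IPs
        self.events = []      # ("start" | "stop", link, group): stream changes on a link

    def join(self, link: str, group: str, stb_ip: str) -> None:
        key = (link, group)
        if key not in self.listeners:
            self.listeners[key] = set()
            self.events.append(("start", link, group))  # new stream on the link
        self.listeners[key].add(stb_ip)                 # otherwise: joined an existing stream

    def leave(self, link: str, group: str, stb_ip: str) -> None:
        key = (link, group)
        if key not in self.listeners:
            return
        self.listeners[key].discard(stb_ip)             # unlog the STB
        if not self.listeners[key]:                     # it was the only listener
            del self.listeners[key]
            self.events.append(("stop", link, group))   # transmission suspended

    def streams_on(self, link: str) -> set:
        return {g for (l, g) in self.listeners if l == link}


class Onu:
    """ONU 30: vets joins against a per-port permitted set (assumed per-port
    lists), forwards leaves and permitted joins to the head end, keeps the
    Address List and delivers each stream only to the ports that asked for it."""

    def __init__(self, link: str, headend: HeadEnd, permitted_by_port: dict):
        self.link = link
        self.headend = headend
        self.permitted_by_port = permitted_by_port   # port -> set of groups
        self.joined = defaultdict(set)               # port -> groups joined

    def address_list(self) -> set:
        return set().union(*self.joined.values())

    def request(self, port: int, stb_ip: str, msg: str, group: str) -> str:
        if msg == "leave":
            self.joined[port].discard(group)
            self.headend.leave(self.link, group, stb_ip)   # leaves are not vetted
            return "forwarded"
        if msg != "join":
            return "dropped"
        if group not in self.permitted_by_port.get(port, set()):
            return "blocked"   # never reaches the head end: no downstream capacity consumed
        self.joined[port].add(group)
        self.headend.join(self.link, group, stb_ip)
        return "forwarded"

    def deliver(self, group: str) -> set:
        """Ports that receive a downstream packet for `group`; empty when the
        Network Receive function blocks it because the group is not in the Address List."""
        if group not in self.address_list():
            return set()
        return {p for p, groups in self.joined.items() if group in groups}


def run_channel_change():
    """First channel request, then the change from channel 2 to channel 3, with a
    second STB on port 2 trying a channel it is not entitled to before joining
    the existing channel 3 stream."""
    he = HeadEnd()
    onu = Onu("pon-1", he, {1: {"225.0.1.2", "225.0.1.3"}, 2: {"225.0.1.3"}})
    onu.request(1, "192.168.1.10", "join", "225.0.1.2")
    onu.request(1, "192.168.1.10", "leave", "225.0.1.2")
    onu.request(1, "192.168.1.10", "join", "225.0.1.3")
    onu.request(2, "192.168.1.11", "join", "225.0.1.2")   # blocked by the vetting
    onu.request(2, "192.168.1.11", "join", "225.0.1.3")   # joins the existing stream
    return he, onu
```

After run_channel_change() the head end has started and stopped channel 2 once and started channel 3 once; the second STB's blocked request left no trace at the head end, and its permitted join added a listener without a new stream.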

By associating a time or times with a channel in the permitted list, a pay-per-view scheme can be supported as well as the pay-per-channel scheme described above. In particular, if the ONU 30 comprises a real-time clock (or has access to a periodic real-time signal from the network or elsewhere) a user may subscribe to a channel for a limited time period, for example:

• the permitted list may associate a single end-time with each channel, after which the channel is deleted from the permitted list, allowing immediate subscription by a user to the current channel up to, say, the end of a currently broadcast film;

• the permitted list may associate both a start and an end time with each channel, which is then made available only between the start time and the end time, allowing advance booking of pay-per-view services;

• the permitted list may associate more complex time intervals with any given channel so as to support, for example, subscription to a particular channel only up until 9:00 p.m. where, for example, a channel provider operates a voluntary ban on transmission of "adult" channel content before that time in the evening. Other options include time-of-day and time-of-week constraints, for which differing subscription rates might apply, etc.

Time limits on availability could also be implemented by active control from the head end, by the sending of specific add/remove control messages to the ONU to cause the permitted list to be updated. This would obviate the provision of a real-time clock in each ONU.

The permitted list used to vet channel requests may be associated either with the ONU as a whole, and therefore apply equally to each STB or PC receiving service through it, or with each individual STB/PC receiving service. In the latter case, distinct STBs may have separate channel access controls applied to support, for example, parental control of children's viewing: STBs in children's rooms receive only channels targeted at children, and "adult" material subscribed to is available only to adults in the household.

Referring now to Figure 4, the invention described above is also not limited to the direct connection of individual STBs or PCs to the ONU. In a further embodiment shown in Figure 4, a second ONU 30a is shown connected, via the access network, to OLT 120. The arrangement also has a customer premises network 81 connected to a user port on the ONU. The customer premises network comprises an STB 812 and a PC 811 connected via a switch 813 (for example an Ethernet switch) to the access connection to ONU 30a. In this way a single ONU may support several customer premises (for example in a multiple dwelling unit, or along a street). In such a configuration the ONU may comprise permitted channel lists per ONU customer port, or per STB/PC. Whilst this arrangement increases the complexity of the ONU, it reduces the number of ONUs to be deployed, thereby potentially reducing operator costs.

Furthermore, whilst the above description has been presented in terms of multicast signals and IGMP signalling and channels carried over IP, the underlying method of vetting channel requests from users is clearly independent both of the multicast nature of the signals requested (access to point-to-point signals in non-multicast networks can be controlled in the same way) and of the specific signalling and broadcast protocols used.

It will easily be seen that the present invention can be applied to other services delivered using multicast, such as audio, software distribution and general push-oriented content delivery.

Any range or device value given herein may be extended or altered without losing the effect sought, as will be apparent to the skilled person from an understanding of the teachings herein.
CLAIMS

1. A network access unit (30) for restricting user access to signals transmitted on a local access network (20) and comprising:

a port for receiving a channel request from a user;

a channel request vetting unit (37) for vetting the request with respect to a predetermined list (39) of permitted channels;

a transmitter (38) for forwarding the channel request responsive to the vetting.

2. A network access unit according to claim 1 additionally comprising:

a receiver (31) arranged to receive control signals from a network headend for updating the permitted list.

3. A network access unit according to any one of claims 1-2 in which a time is associated with at least one channel in the predetermined list of channels and in which the channel vetting unit vets a request for the at least one channel with respect to the time.

4. A network access unit according to any one of claims 1-3 in which the local access network is a shared medium access network.

5. A network access unit according to any one of claims 1-4 arranged to receive signals over an optical medium.

6. A customer premises equipment comprising a network access unit according to any one of claims 1-5.

7. An optical access network comprising a network access unit according to any one of claims 1-5.

8. A service provider server (10) arranged for connection to a network and comprising:

a transmitter (111) for transmitting one or more content channels and channel control signals to a remote network access unit (30) containing a permitted channel list (39);
in which the control signals are intended to update the permitted channel list so as to control subscriber access to the transmitted content channels.

9. A service provider server according to claim 8 in which the control signals contain time-related information for association in the permitted list with one or more channels.

10. A method of restricting user access to signals transmitted on a local access network comprising the steps of:

receiving a channel request from a user at a first port;

vetting (37) the request with respect to a predetermined list of permitted channels;

forwarding (38) the request responsive to the vetting.

11. A method according to claim 10 additionally comprising the steps of:

receiving (31) a control signal from a network headend;

updating the permitted list (39) responsive to the control signal.

12. A method according to any one of claims 10-11 additionally comprising the steps of:

associating a time with at least one channel in the predetermined list of channels;

vetting the request with respect to the time.

13. A method according to any one of claims 10-12 in which the channel request is carried in an IGMP message.

14. A method of operating a service provider server (10) comprising the steps of:

transmitting one or more content channels and channel control signals to a remote network access unit (30) containing a permitted channel list (39);

in which the control signals are intended to update the permitted channel list so as to control subscriber access to the transmitted content channels.
15. A method according to claim 14 additionally comprising the steps of:

receiving a user initiated request to change channel subscription details;

transmitting a permitted channel list update signal responsive thereto to a remote network access unit associated with the user.

16. A use of an IGMP vetting function (37) in customer premises equipment to provide secure multicast over a network.

17. A use of an IGMP vetting function (37) and a network receive address filter (32) in customer premises equipment to provide secure multicast over a network.

18. A program for a computer on a machine readable medium arranged to:

receive a channel request from a user at a first port;

vet (37) the request with respect to a predetermined list of permitted channels (39);

forward the request responsive to the vetting (38).

19. A control signal intended for transmission to a network access unit (30) having a permitted channel list (39), comprising at least one message comprising network access unit permitted channel list update information.

20. A control signal according to claim 19 in which the at least one message contains time-related information for association in the permitted channel list (39) with one or more channels.

21. A control signal according to any one of claims 19-20 in which the control signals comprise IGMP messages.